The Analyze button in the Security Translation wizard is not identifying all the profiles that need (NETIQKB19484)

  • 7719484
  • 02-Feb-2007
  • 08-Sep-2008

Resolution

fact
Domain Migration Administrator 7.x

symptom
The Analyze button in the Security Translation wizard is not identifying all the profiles that need to be translated.

cause
This is a known issue with the Analyze feature. This issue was first partially resolved in DMA 7.1 Hotfix 22291. However, there is still a known issue with DMA 7.1 post Hotfix 22291, which is included in DMA 7.1 Hotfix 35418, and it is still an issue with DMA 7.2. (Please refer to the Release Notes for DMA 7.2 for more information: \Program Files\NetIQ\DMA\Documentation\ReleaseNotes.htm)

fix

Use the following procedure to replace the SecTransToDo query in the DMA Protar database, as well as the SecTransToDo query in each of the Project databases. The Protar database is used when running the Global migration wizards outside of a project.

For the Protar database (\Program Files\NetIQ\DMA\Protar.mdb):

  1. Open the desired project database using Microsoft Access.
  2. Select Queries from the Objects list on the left hand side.
  3. Select the SecTransToDo query.
  4. Right-click and select Design View.
  5. Delete the existing data in the query.
  6. Copy the following query into the window.


    SELECT AccountRefs.Server, AccountRefs.DomainName, AccountRefs.Account, AccountRefs.RefType, "Untranslated" AS Mode
    FROM MigratedObjects INNER JOIN AccountRefs ON (MigratedObjects.SourceDomain = AccountRefs.DomainName) AND (MigratedObjects.SourceSamName = AccountRefs.Account)
    WHERE (((AccountRefs.RefCount)>0) AND (([AccountRefs].[Server]+'\'+[AccountRefs].[DomainName]+'\'+[AccountRefs].[Account]+'\'+[AccountRefs].[RefType]) Not In (Select SecurityTranslation.Server + '\' + SecurityTranslation.DomainName + '\' + SecurityTranslation.Account + '\' + [SecurityTranslation].[RefType] from SecurityTranslation where Status > 0 order by DomainName, Account)) AND ((MigratedObjects.SidHistory)=False))
    UNION ALL SELECT AccountRefs.Server, AccountRefs.DomainName, AccountRefs.Account, AccountRefs.RefType, "Untranslated" AS Mode
    FROM MigratedObjects INNER JOIN AccountRefs ON (MigratedObjects.SourceDomain = AccountRefs.DomainName) AND (MigratedObjects.SourceSamName = AccountRefs.Account)
    WHERE (((AccountRefs.RefCount)>0) AND (([AccountRefs].[Server]+'\'+[AccountRefs].[DomainName]+'\'+[AccountRefs].[Account]+'\'+[AccountRefs].[RefType]) Not In (Select SecurityTranslation.Server + '\' + SecurityTranslation.DomainName + '\' + SecurityTranslation.Account + '\' + [SecurityTranslation].[RefType] from SecurityTranslation where Status > 0 order by DomainName, Account)) AND (((AccountRefs.RefType) Like 'Profile*') OR ((AccountRefs.RefType) Like 'Profile%')) AND ((MigratedObjects.SidHistory)=True));


  7. Close the window to save the changes.

For the project databases (\Program Files\NetIQ\DMA\Projects\project_Name\project_Name.mdb):

  1. Open the desired project database using Microsoft Access.
  2. Select Queries from the Objects list on the left hand side.
  3. Select the SecTransToDo query.
  4. Right-click and select Design View.
  5. Delete the existing data in the query.
  6. Copy the following query into the window.


    SELECT AccountRefs.Server, AccountRefs.DomainName, AccountRefs.Account, AccountRefs.RefType, "Untranslated" AS Mode
    FROM SelectedObjects, MigratedObjects INNER JOIN AccountRefs ON (MigratedObjects.SourceDomain = AccountRefs.DomainName) AND (MigratedObjects.SourceSamName = AccountRefs.Account)
    WHERE (((AccountRefs.RefCount)>0) AND (([AccountRefs].[Server]+'\'+[AccountRefs].[DomainName]+'\'+[AccountRefs].[Account]+'\'+[AccountRefs].[RefType]) Not In (Select SecurityTranslation.Server + '\' + SecurityTranslation.DomainName + '\' + SecurityTranslation.Account + '\' + [SecurityTranslation].[RefType] from SecurityTranslation where Status > 0 order by DomainName, Account)) AND ((MigratedObjects.SidHistory)=False)
    and SelectedObjects.SourceSam = AccountRefs.Account and SelectedObjects.SourceDomain = AccountRefs.DomainName )
    UNION ALL SELECT AccountRefs.Server, AccountRefs.DomainName, AccountRefs.Account, AccountRefs.RefType, "Untranslated" AS Mode
    FROM SelectedObjects, MigratedObjects INNER JOIN AccountRefs ON (MigratedObjects.SourceDomain = AccountRefs.DomainName) AND (MigratedObjects.SourceSamName = AccountRefs.Account)
    WHERE (((AccountRefs.RefCount)>0) AND (([AccountRefs].[Server]+'\'+[AccountRefs].[DomainName]+'\'+[AccountRefs].[Account]+'\'+[AccountRefs].[RefType]) Not In (Select SecurityTranslation.Server + '\' + SecurityTranslation.DomainName + '\' + SecurityTranslation.Account + '\' + [SecurityTranslation].[RefType] from SecurityTranslation where Status > 0 order by DomainName, Account)) AND (((AccountRefs.RefType) Like 'Profile*') OR ((AccountRefs.RefType) Like 'Profile%')) AND ((MigratedObjects.SidHistory)=True)  and SelectedObjects.SourceSam = AccountRefs.Account and SelectedObjects.SourceDomain = AccountRefs.DomainName);

  7. Close the window to save the changes.


fix

If you are unable to apply this query to your production Domain Migration Administrator (DMA) install, please use one of the following workarounds:

  1. Translate security for all profiles for a user at the same time.  When running the Translate Security Settings wizard, on the Computer Selection screen, you must click Add and select all the computers.
  2. Deselect the SidHistory checkbox in the MigratedObjects table of the Protar.mdb for the desired user account(s).


note
To have this change propagate each time you create a new project, perform the project-related steps above on the Project template database (\Program Files\NetIQ\DMA\Projects\Project.mdb).

note
The Analyze button is designed to populate the Security Translation wizard with any machines where the selected user and/or group accounts have permissions or profiles. This is only available after having run the Impact Analysis reports. The intention is that this functionality will be used for general Add mode translation when using the Translate Security Settings wizard against accounts that have not been migrated with SID history, or for easily selecting the machines where accounts that were migrated with SID history have local user profiles.
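The selection logic of the replacement Protar query, shown as an added example that is not NetIQ's code: a SQLite port (Access `+` becomes `||`, `Like 'Profile*'` becomes `LIKE 'Profile%'`, True/False become 1/0, and the subquery's ORDER BY and the constant Mode column are dropped) run over constructed rows. The server names, accounts and the `File` RefType are made up; only the `Profile` prefix comes from the query.

```python
import sqlite3

# SQLite port of the two UNION ALL branches of the Protar SecTransToDo query.
# KEY rebuilds the Server\Domain\Account\RefType string used by the NOT IN test.
KEY = "{t}.Server || '\\' || {t}.DomainName || '\\' || {t}.Account || '\\' || {t}.RefType"
BRANCH = f"""
SELECT AccountRefs.Server, AccountRefs.DomainName, AccountRefs.Account, AccountRefs.RefType
FROM MigratedObjects JOIN AccountRefs
  ON MigratedObjects.SourceDomain = AccountRefs.DomainName
 AND MigratedObjects.SourceSamName = AccountRefs.Account
WHERE AccountRefs.RefCount > 0
  AND {KEY.format(t='AccountRefs')} NOT IN
      (SELECT {KEY.format(t='SecurityTranslation')} FROM SecurityTranslation WHERE Status > 0)
"""
QUERY = (BRANCH + " AND MigratedObjects.SidHistory = 0 UNION ALL" + BRANCH +
         " AND AccountRefs.RefType LIKE 'Profile%' AND MigratedObjects.SidHistory = 1")

def sec_trans_todo(migrated, refs, translated):
    """Load the three tables the query reads and return its rows, sorted."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE MigratedObjects(SourceDomain, SourceSamName, SidHistory);
        CREATE TABLE AccountRefs(Server, DomainName, Account, RefType, RefCount);
        CREATE TABLE SecurityTranslation(Server, DomainName, Account, RefType, Status);
    """)
    db.executemany("INSERT INTO MigratedObjects VALUES (?,?,?)", migrated)
    db.executemany("INSERT INTO AccountRefs VALUES (?,?,?,?,?)", refs)
    db.executemany("INSERT INTO SecurityTranslation VALUES (?,?,?,?,?)", translated)
    return sorted(db.execute(QUERY).fetchall())

# Constructed sample rows (not taken from a real DMA database).
MIGRATED = [("OLD", "alice", 0), ("OLD", "bob", 1), ("OLD", "carol", 1)]
REFS = [
    ("SRV1", "OLD", "alice", "File", 3),     # no SID history: every reference is listed
    ("SRV1", "OLD", "alice", "Profile", 1),
    ("SRV2", "OLD", "alice", "File", 0),     # RefCount 0: skipped
    ("SRV1", "OLD", "bob", "File", 2),       # SID history: non-profile reference skipped
    ("SRV2", "OLD", "bob", "Profile", 1),    # SID history: profile reference still listed
    ("SRV3", "OLD", "carol", "Profile", 1),  # already translated (Status > 0 below)
]
TRANSLATED = [("SRV3", "OLD", "carol", "Profile", 1)]

if __name__ == "__main__":
    for row in sec_trans_todo(MIGRATED, REFS, TRANSLATED):
        print(row)
```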

Additional Information

Formerly known as NETIQKB19484